MS13-004 patch for .Net 1.1 is re-offered on Windows XP systems even though patch binaries are updated successfully

Recently I found an issue with latest release of MS13-004 patch. MS13-004 patch for .Net 1.1 is re-offered on Windows XP systems even though patch files are updated successfully. I collected and reviewed the below logs but didn’t find any meaningful information on the re-offer issue.


MBSA and WSUS both have same detection logic as they have the same source. I tried the below scenario :

First, set the registry keys

To turn on verbose logging, add the following registry key with two values:
Value name: Flags
Value type: REG_DWORD
Value data: 000000016 <<< this is HEX 16

Value name: Level
Value type: REG_DWORD
Value data: 00000004 <<< make this as 4

•Have the system with .Net 1.1 SP1 and KB979906 installed.
•Scan Windows Update and see if KB2742597 gets offered first
•Scan Windows Update again and see if KB2742597 gets re-offered

Collect the logs: %systemroot%\Windowsupdate.log file and “%temp%\NDP1.1sp1-KBXXXXXXX-X86\*.log"

Now, if I just uninstall KB979906 the version of mscorees.dll is reverted to the version that is stated in the article. Here is a screen shot of the file properties for mscorees.dll located in c:\windows\system 32\mui\0409 before and after I uninstalled KB979906:

Before uninstalling kb979906:

After uninstalling kb979906:

I did further investigation on this. Mscorees.dll not being updated by KB27425997 is by the design of MSI technology. KB979906 transform shows mscorees.dll is 4.0.31106.0 and KB27425997 also shows mscorees.dll 4.0.31106.0. This gives MSI the impression if mscorees.dll is installed by KB979906 before then it does not need to be installed by KB27425997 again.

Secondly, the end user’s machine should never end up with the state where shared component goes back to an older version. As long as KB979906 is on the box, mscorees.dll should have a version 4.0.31106.0 or higher. One possible reasons is that on those machines impacted, a different setup technology could have been used in order to install third-party software that touches mscorees.dll.

That’s being said, the work-around solution for those impacted machines, un-installing and re-installing KB979906 should do the trick. Another simple fix for this should be to repair .Net 1.1 after installing KB2742597. The repair command line:

msiexec /fomus {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}